GSA puts robust IT security programs and solutions in place to ensure privacy and security for its data and systems. GSA’s Chief Information Security Officer, Kurt Garbars, explains how this is accomplished in an agile cloud environment.
Conventional security controls take four to six months to implement, rendering development anything but agile. There are, however, two alternative options that enhance security without slowing down the process. The first is a short-term option for teams that really need to get their systems up and running quickly; the second is a longer-term option that will be more repeatable and more sustainable.
GSA has been helping its partners adopt the cloud by easing the process of implementing it. Through FedRAMP, GSA is giving federal agencies a single, standardized approach to cloud security assessments, authorization, and monitoring. FedRAMP allows for a single clearance process for cloud technologies that allows them to be used by multiple agencies, saving the government time, money and staff by eliminating redundant agency security assessments.
What I propose is what I call the Lightweight ATO (LATO) process. The LATO process starts with a FedRAMP Infrastructure as a Service (IaaS) ATO (http://cloud.cio.gov/fedramp) and builds from there. Although the LATO process only consists of 24 controls, this process is anything but lightweight once all the controls are implemented. This process will provide a comprehensive set of controls to protect data in the cloud, whether it is a company’s latest marketing strategy, the government’s drawings or a celebrity’s selfies. The idea here is the quality of the security controls and not the quantity. It is also about REAL implementation of security controls rather than thousands of pages documenting security controls. The agile development teams are not going to wait around while the security teams cross every “t” and dot every “i” in a system security plan with 250-plus controls. You may think you’re helping security by demanding they go through a lengthy process, but with LATO you can quickly satisfy the needs for security with the agile cloud team. For those of you who live and die by NIST 800-53 (now R4), I propose implementation, documentation and assessment/testing of the following 24 controls:
Control | Title
AC-2 | Account Management
AC-3 | Access Enforcement
AC-6 | Least Privilege
AU-2 | Audit Events
AU-6 | Audit Review, Analysis and Reporting
CA-8 | Penetration Testing
CM-2 | Baseline Configuration
CM-3 | Configuration Change Control
CM-6 | Configuration Settings
CM-8 | Information System Component Inventory
IA-2 | Identification and Authentication (Organizational Users)
IA-2 (1) | Identification and Authentication (Organizational Users)/ Network Access to Privileged Accounts
IA-2 (2) | Identification and Authentication (Organizational Users)/ Network Access to Non-Privileged Accounts
IA-2 (12) | Identification and Authentication/ Acceptance of PIV Credentials
PL-8 | Information Security Architecture
RA-5 | Vulnerability Scanning
SA-22 | Unsupported System Components
SA-11 (1) | Developer Security Testing and Evaluation/ Static Code Analysis
SC-7 | Boundary Protection
SC-13 | Cryptographic Protection/ FIPS Validated Cryptography
SC-28 (1) | Protection of Info at Rest/ Cryptographic Protection*
SI-2 | Flaw Remediation
SI-4 | Information System Monitoring
SI-10 | Information Input Validation

* SC-28 (1) is applicable to systems with Personally Identifiable Information or sensitive data.
I would argue that if you truly implement these 24 controls and continuously monitor and secure these systems, they will be more secure than at least 95 percent of all the systems you have deployed. There are obviously other controls implemented/inherited, including the FedRAMP IaaS controls and any enterprise-wide management/operational controls you have implemented for all systems (e.g. incident response, business continuity, document marking, etc.), but these are the 24 to which every team standing up an agile-developed system in the cloud must adhere. I’m sure there will be the few who comment back that the GSA CISO has lost his mind, but I’m equally sure the silent majority would agree with me.
Also, these 24 controls don’t have to be an “end all, be all.” This can just be a starting set to build on as you determine your own risk posture and the ongoing threats to your systems.
I described this earlier as the short-term solution. The longer-term solution is very similar. The primary difference is to build out the platform as a service (PaaS) architecture in a secure manner, including a secure enclave, OS, middleware, authentication, auditing/logging and anything else that can be securely reused/inherited by the development team. This would allow the developers to focus on secure coding, including application-specific auditing/logging, authorization and access controls.
GSA is undoubtedly a leader in developing innovative, cost-saving solutions that will be shared across the government. In this instance, we’re currently piloting the LATO process and the security team is working closely with our agile development teams. As we learn more about each other’s processes, this will only get better. For those of you who are already starting to freak out about the other 225+ controls, we’re currently providing a one-year ATO for moderate-impact systems that go through this process and a three-year ATO for low-impact systems. The goal is to work within the NIST risk-management framework to optimize IT security and reduce risk in an ever-changing world. As cloud security monitoring tools continue to mature, we would like to further integrate this LATO process into our continuous diagnostics and mitigation program.